OID_802_11_ADD_KEY Functionality

I'm trying to understand the use of OID_802_11_ADD_KEY and configuring
an adapter to use WPA-PSK.

After spending some time using SoftICE and capturing calls to
DeviceIoControl() when the OID_802_11_ADD_KEY function is being passed
to the driver, I'm confused as to what exactly is sent when. From the
information I got out of the Wi-Fi Protected Access (V3.1)
Specification, it seems to indicate that a hmac-sha1 hashed 256 key is
sent to the driver. Clearly, however, this is not what is going on.

I'm seeing at least two calls to OID_802_11_ADD_KEY. The first and
(optional it seems) second one both have the KeyIndex set to 0xE0000000
which indicates a PWK transmit key. The last call to
OID_802_11_ADD_KEY has the KeyIndex set to 0x20000001 which is a
group key with index = 1.

In neither case, however, can I figure out what process generated the
KeyMaterial. I've noted that the first and 2nd (if present) calls are
always unique where the last call (i.e. the one with KeyIndex =
0x20000001) is always the same.


Just to close this out and provide some information to someone else
having this same question and suffering from the same confusion...

The process of using OID_802_11_ADD_KEY is significantly MORE complex
than using OID_802_11_ADD_WEP. In spite of their similar appearance,
they are very different.

Here is an outline of the process of associating with an AP using
WPA-PSK (i.e. Pre-shared key). The process of straight WPA is similar
but was not in the scope of what I was doing so it's left as an
exercise to the reader. ;-)

Background information. There are MULTIPLE specs covering this process
and (unfortunately) they all supersede each other. So you need to
refer to all of them at once. What I collected and used were:

(this is the 2001 version which is free. There is a 2004 version out
that is US$70.00 if you want the latest and greatest.)

Another useful resource is a network sniffer to capture packets being
sent between your WiFi card and the AP. You can, of course, spend lots
of money on an overpriced commercial packet capture tool but I've found
the free Analyzer tool works great:

I also found CompuWare's SoftICE debugger helpful to snoop on what WZC
was doing on the programming side. It's commercial and expensive but I
keep my copy up-to-date all the time since it comes in so handy. I
don't need it often but when I do need it, it's worth every bit of its
cost. (I think WinDbg can do some of the same stuff now but I'm too
familiar with SoftICE to change now.)

Code snippets are really handy for some of the encryption code needed
to do WPA in your client. A good source for all the code you will need
is:

In particular the 802.11i PRFs code, the 802.11i Password Hashing code,
and the test vectors in TKIP MSDU example, with fragmentation.

Platform. This works ONLY on Windows XP (or Windows 2003 Server) since
earlier versions of Windows lack driver support for wireless devices.
In other words Windows versions older than XP don't support wireless.
Vendors can support wireless functions themselves but Windows doesn't
know about it. Windows uses a combination of Wireless Zero
Configuration (WZC) and NDIS Usermode I/O (NDISUIO or NDISPROT on 2003
Server) to accomplish this. Some claim that you should not use NDISUIO
yourself but should go through the headache of making your own protocol
driver from the DDK sample (see the NDISPROT sample in the 2003 Server
DDK). It's been my observation that use of NDISUIO by 3rd parties has
already become common (since the alternative is a major headache) and
while Microsoft may change it in the future, they will break a lot of
things if they do so. Note also that there are some minor differences
between XP and XP SP1 in using NDISUIO so your application should be
aware of them. See:

for details and a differing opinion on using NDISUIO. Note, however,
that this company has an interest in you not using NDISUIO since they
sell a product that lets you access the NDIS driver without NDISUIO.

Now to the process... Prior to using OID_802_11_ADD_KEY (which is
actually the LAST step in this process) you must exchange security
information with the AP (called the AUTHENTICATOR in the specs) using
what is referred to as the "4-way handshake." Actually this is a 5-way
handshake since you must start the process with another packet. The
main information on this process is the 802.1X spec. Note, however,
that you must use the 802.11i (which supersedes 802.1X) and also the
WPA spec (which supersedes 802.11i). So when examining any item be
sure you check the other specs if what you are seeing is confusing.

To start the authentication process, your wireless card (called the
SUPPLICANT in the specs) sends an EAPOL-Start (EAPOL - Extensible
Authentication Protocol Over LAN) packet to the AP. You do this by
forming the packet itself using the MAC address of the AP and your WiFi
card (you may have to scan the APs to get the MAC) and sending it
through NDISUIO using the WriteFile() WIN32 API.

Once you do that, the AP will respond with the #1 message of the 4-way
handshake. You get this from NDISUIO using the ReadFile() API. (By
the way, using either of these on NDISUIO is demonstrated in the
NDISPROT DDK sample.)

Now you have enough information to take your hashed WPA-PSK password
and the locally generated SNonce (a random number) and the ANonce
received from the AP and calculate the Pairwise Transient Key (PTK)
using the PRF-512 function from the deadhat.com web site above. This
gives you pieces of data that will be needed to respond to the AP with
#2 message of the 4-way handshake.

After that you again use ReadFile() on NDISUIO to get the #3 message
from the AP which will have in it the Groupwise Transient Key (GTK).
Finally you reply with message #4 which is mainly for confirming
things.

Now you have in your possession the TWO things needed for
OID_802_11_ADD_KEY which, if you used SoftICE, you would know is called
twice, once with a pairwise key and once with a group key. The
pairwise key is the PTK and the group key is the GTK both of which were
generated as a result of the 4-way handshake with the AP.

Obviously there is a bit more to this that I've outlined above but when
I first got into this I knew almost nothing. If I had seen a writeup
similar to the above it would have saved me days of struggle.
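To make the outline above concrete, here is an added worked example of the supplicant-side arithmetic in Python. It is not code from this thread, from WZC or from any NDIS driver; it is written from the 802.11i/WPA key-derivation rules the post refers to (the password hashing, PRF-512 and the EAPOL-Key MIC). The "password"/"IEEE" PMK is the 802.11i Annex test vector; the AP and station MACs, the nonces and the WPA IE are constructed sample values. The NDIS_802_11_KEY packing assumes the 32-bit NDIS 5.1 layout (KeyRSC is an 8-byte aligned ULONGLONG, so KeyMaterial starts at offset 32) and the TKIP KeyMaterial order (TK, then the station's Tx MIC key, then its Rx MIC key) is taken from the NDIS_802_11_KEY documentation as I read it; verify both against your driver. All function names are my own.

```python
import hashlib
import hmac
import struct

# EAPOL-Key framing (IEEE 802.1X / 802.11i / WPA spec).
EAPOL_VERSION, EAPOL_TYPE_KEY = 1, 3
WPA_KEY_DESCRIPTOR = 0xFE                  # WPA descriptor type; RSN (802.11i) uses 2
KEYINFO_PAIRWISE, KEYINFO_MIC = 1 << 3, 1 << 8
DESC_VER_HMAC_MD5 = 1                      # TKIP: MIC is HMAC-MD5, GTK wrapped with RC4
DESC_VER_HMAC_SHA1 = 2                     # CCMP: MIC is HMAC-SHA1-128, GTK wrapped with AES
MIC_OFFSET, MIC_LEN = 81, 16               # Key MIC field, counted from the EAPOL header

# NDIS_802_11_KEY.KeyIndex flag bits (NDIS 5.1 ndis.h); the low bits are the key index.
NDIS_KEY_TRANSMIT, NDIS_KEY_PAIRWISE, NDIS_KEY_RSC_VALID = 1 << 31, 1 << 30, 1 << 29

# Constructed sample inputs, not captured from a real network.
SAMPLE_WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")  # TKIP, PSK
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i password hashing: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """KCK signs EAPOL-Key frames, KEK unwraps the GTK, TK (+ TKIP MIC keys) protects data."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_AP_TO_STA": ptk[48:56], "MIC_STA_TO_AP": ptk[56:64]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed; algorithm from Key Info bits 0-2."""
    version = struct.unpack(">H", frame[5:7])[0] & 0x7
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    if version == DESC_VER_HMAC_MD5:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == DESC_VER_HMAC_SHA1:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError("unsupported EAPOL-Key descriptor version %d" % version)


def build_msg2(kck, snonce, replay_counter, descriptor_version, wpa_ie=SAMPLE_WPA_IE) -> bytes:
    """Supplicant's message 2: echoed replay counter, SNonce, our WPA IE as Key Data, MIC set."""
    key_info = descriptor_version | KEYINFO_PAIRWISE | KEYINFO_MIC
    body = struct.pack(">BHHQ", WPA_KEY_DESCRIPTOR, key_info, 0, replay_counter)  # Key Length is 0 here
    body += snonce + bytes(16) + bytes(8) + bytes(8)          # Key Nonce, Key IV, Key RSC, Key ID
    body += bytes(MIC_LEN) + struct.pack(">H", len(wpa_ie)) + wpa_ie
    frame = struct.pack(">BBH", EAPOL_VERSION, EAPOL_TYPE_KEY, len(body)) + body
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_mic(kck: bytes, frame: bytes) -> bool:
    """The authenticator's check on message 2, and the supplicant's check on message 3."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN], eapol_key_mic(kck, frame))


def ndis_802_11_key(key_index: int, key_material: bytes, bssid: bytes, key_rsc: int = 0) -> bytes:
    """Pack NDIS_802_11_KEY (assumed 32-bit NDIS 5.1 layout): Length, KeyIndex, KeyLength, BSSID,
    6 pad bytes so the ULONGLONG KeyRSC is 8-byte aligned, KeyRSC, then KeyMaterial at offset 32."""
    header = struct.pack("<III6s6xQ", 32 + len(key_material), key_index, len(key_material), bssid, key_rsc)
    return header + key_material


def supplicant_keys(passphrase: str, ssid: str):
    """Walk the supplicant side with the constructed inputs above; returns the split PTK, message 2
    and the pairwise NDIS_802_11_KEY (KeyIndex 0xE0000000: transmit | pairwise | RSC valid, index 0)."""
    pmk = wpa_psk_pmk(passphrase, ssid)
    keys = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    msg2 = build_msg2(keys["KCK"], SNONCE, replay_counter=1, descriptor_version=DESC_VER_HMAC_MD5)
    # TKIP KeyMaterial order assumed from the NDIS docs: TK, station Tx MIC key, station Rx MIC key.
    tkip_material = keys["TK"] + keys["MIC_STA_TO_AP"] + keys["MIC_AP_TO_STA"]
    pairwise = ndis_802_11_key(NDIS_KEY_TRANSMIT | NDIS_KEY_PAIRWISE | NDIS_KEY_RSC_VALID, tkip_material, AP_MAC)
    return keys, msg2, pairwise
```

Two things worth checking against a capture: message 2's MIC must be computed with the MIC field zeroed and with the Key Info descriptor version the AP chose in message 1 (HMAC-MD5 for TKIP, HMAC-SHA1-128 for CCMP), and the replay counter must echo the AP's value exactly or the AP will silently drop the frame. The KCK never leaves the handshake; only TK (plus the TKIP MIC keys) and the unwrapped GTK go into OID_802_11_ADD_KEY, which is why the pairwise KeyMaterial you see in SoftICE changes every association while the group key does not until the AP rekeys.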

Hi, I'm trying to use OID_802_11_ADD_KEY with WPA-PSK.
According to jwh20, I have to do a "4-way handshake" before using OID_802_11_ADD_KEY, with the WriteFile() and ReadFile() functions.
I don't know how these functions work.
In my application I use the DeviceIoControl function. Can I use it to do the 4-way handshake?
If someone could give me a code example I would appreciate it.
